Work in progress....

Blog Changes

Posted: September 30th, 2005 | Author: lrei | Filed under: Uncategorized

I’m changing the Wordpress theme of this blog back to the default (kubrick). I’ll edit it to make the layout similar to the layout of the previous theme (wuhan). Also I’ll finally get around to making the Photos section and a new About section. The Photos section will use gallery.


Giga Lan Party Day 1

Posted: September 30th, 2005 | Author: lrei | Filed under: Uncategorized

It’s tough to speak in terms of days when you don’t sleep and don’t see the sun/moonlight but I can safely say the 1st day of the Giga Lan Party is over. Apart from the network taking around 12h more time to set up than anticipated, I think that everything is something… 2 days with virtually no sleep has rendered me pretty much unable to write. 3 days to go…
PS: Counter Strike Source pwns IMO.


Build a Sentry Gun

Posted: September 22nd, 2005 | Author: lrei | Filed under: Uncategorized

How We Built the Quintessential Sentry Gun


LanPARTY!!!

Posted: September 22nd, 2005 | Author: lrei | Filed under: Uncategorized

The Giga Lan Party at Estádio do Dragão, Porto, Portugal, will start on the 29th of September and will last 4 days! It will feature:
- Kickass bandwidth (guess where the giga comes from?)
- Games (including WCG stuff)
- Linux Installation Party
- Other stuff :P

I’ll be there, that’s for sure.


Change

Posted: September 18th, 2005 | Author: lrei | Filed under: Uncategorized

I am now (since Friday) officially a student of LEIC (Informatics and Computing Engineering). I had been a LEEC (Electrical and Computers Engineering) student for the past 3 years. Those who know me well know that I don’t exactly like to publicly admit to making mistakes (which I’ve been known to make on very very rare occasions). Even though I realized LEEC wasn’t really what I wanted I tried to stick with it. Eventually last year I decided that it wasn’t working out and finally decided to switch to LEIC.
The good news came out sometime Friday afternoon: after lunch I went for a small 2-3h SOF2 deathmatch at a friend’s house. When it was time for me to go, another friend decided to type /ignore 1234567890. It was funny to watch the look on the other guy’s face for a second until he understood why the game crashed (because we burst into laughter). Maybe I should think before telling my friends about exploits in the games we play… nah! It’s more fun this way. After I left I went over to FEUP, got the good news and went home. I decided some sort of celebration was in order so I’ve been watching Dark Angel eps – I’m done with season 1 :D . Deem Jessica Alba is teh ubber cute hotness.


The Six Dumbest Ideas in Computer Security

Posted: September 15th, 2005 | Author: lrei | Filed under: Security

Marcus Ranum’s newest essay entitled The Six Dumbest Ideas in Computer Security makes for an interesting read. Obviously I don’t agree with some of it.

#1) Default Permit – agreed.

#2) Enumerating Badness – agreed.

#3) Penetrate and Patch
Penetrate and Patch is a good idea. It is just abused. It was never meant to replace good design in creating good software (or secure networks). The fact is the designer(s) of an application or a network (or any number of things) might not notice a flaw in it. In fact, in Richard Feynman’s “Personal Observations on the Reliability of the Space Shuttle” the idea behind penetrate and patch is present (my emphasis):

The software is checked very carefully in a bottom-up fashion. First, each new line of code is checked, then sections of code or modules with special functions are verified. The scope is increased step by step until the new changes are incorporated into a complete system and checked. This complete output is considered the final product, newly released. But completely independently there is an independent verification group, that takes an adversary attitude to the software development group, and tests and verifies the software as if it were a customer of the delivered product. There is additional verification in using the new programs in simulators, etc. A discovery of an error during verification testing is considered very serious, and its origin studied very carefully to avoid such mistakes in the future. Such unexpected errors have been found only about six times in all the programming and program changing (for new or altered payloads) that has been done. The principle that is followed is that all the verification is not an aspect of program safety, it is merely a test of that safety, in a non-catastrophic verification. Flight safety is to be judged solely on how well the programs do in the verification tests. A failure here generates considerable concern.
To summarize then, the computer software checking system and attitude is of the highest quality. There appears to be no process of gradually fooling oneself while degrading standards so characteristic of the Solid Rocket Booster or Space Shuttle Main Engine safety systems.

That is how every application should be developed. Unfortunately somewhere along the line we began to tolerate poorly designed, poorly programmed software until it became the norm and well designed, carefully programmed software became the anomaly (software like Qmail). Making reliable, secure software is more expensive and time consuming than making unreliable software destined to be hacked over and over again. Because reliability and security are not required by the customers, software development firms opt to create poorly designed software and adopt low quality software checking systems.
To summarize, the problem isn’t “Penetrate and Patch”, it’s the fact that the good design and careful testing that should precede it have been abandoned.

#4) Hacking is Cool
Hacking is cool. This seems to be more about Ranum hating hackers than anything else. He starts by comparing hackers to cockroaches in a weird analogy. No, it’s not cool to break into servers and copy credit card info and other stuff. It’s not cool to threaten online businesses with distributed denial of service attacks. But it is cool to break software and it certainly requires brains. There’s nothing brilliant about typing
./exploit
but going from a segmentation fault because of a few extra characters copied into a buffer to executing any code you want is brilliant. Same for starting with the knowledge of what information goes into log files and what programs will process it to getting those programs to do something you want them to do. And you just gotta love packet kung fu like inverted syn cookies.
Yes, we should learn how to design security systems that are hack-proof, but how can we design such systems if we don’t know how they can be hacked? How hacking works? How those systems can fail? How can we say that something is safe if we don’t understand what can go wrong? We can’t. Without a full understanding of the causes of failure, the processes and circumstances that lead to it, we cannot realistically expect to make a system that will not fail. This is closely related to the previous so-called “dumb idea” of penetrate and patch.

#5) Educating Users
Overall I tend to agree. You need to not only protect users from whatever may threaten them but also protect the system from the users. And do not underestimate your users’ resourcefulness and determination to bypass whatever restrictions you attempt to impose. For example, when executable files started being removed from emails based on their extension, users simply renamed the files. When FEUP introduced software to prevent gaming on their computers, users quickly found a way around it simply by using UPX.
That said, some user education is probably a good thing – just don’t rely on it.
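The extension-based attachment filter mentioned above, next to a content-based check, as an added example that is not part of the original post: the check inspects the leading bytes of the file (a Windows executable starts with an MZ header and carries a PE signature at the offset stored at 0x3C), so renaming the file does not help, and a UPX-packed executable keeps these headers too. The blocked-extension list and the sample attachments are constructed for the example.

```python
# Added example: name-based filtering versus content-based filtering of attachments.
import struct

# Constructed list of "dangerous" extensions, the way an email filter of the era worked.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}


def blocked_by_extension(filename: str) -> bool:
    """The original filter: looks only at the name, so renaming defeats it."""
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in BLOCKED_EXTENSIONS


def looks_like_pe(data: bytes) -> bool:
    """Content check: MZ DOS header plus a valid PE signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def blocked_by_content(filename: str, data: bytes) -> bool:
    """Block on either signal; packing with UPX leaves the MZ/PE headers in place."""
    return blocked_by_extension(filename) or looks_like_pe(data)


def make_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: 64-byte MZ header, e_lfanew -> 0x40, PE signature."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + b"\0" * 20


# Constructed sample attachments, not real files.
SAMPLES = {
    "invoice.exe": make_fake_pe(),
    "invoice.txt": make_fake_pe(),  # the same binary, renamed by the user
    "notes.txt": b"just some text\n",
}


def classify(samples=SAMPLES) -> dict:
    """Map each attachment to (blocked_by_extension, blocked_by_content)."""
    return {name: (blocked_by_extension(name), blocked_by_content(name, data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name}: by extension={verdict[0]}, by content={verdict[1]}")
```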

#6) Action is Better Than Inaction – agreed.

The Minor Dumbs – agreed.


Three Papers on Worms

Posted: September 10th, 2005 | Author: lrei | Filed under: Security

Three Papers on Worms (all via wormblog) I want to read tomorrow:
On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits (direct link to the PDF)
Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic (direct link to the PDF)
The Latest in Internet Attacks: Web Application Worms (direct link to the PDF)

There is also a blog entry at Thomas Ptacek’s blog entitled The Real Answer To Worm Propagation which I’ll read tomorrow (too tired right now).


.kid

Posted: September 10th, 2005 | Author: lrei | Filed under: Security

The EU backs plans for .kid TLD. A TLD for kids is a good thing for businesses that have websites for kids. What sort of upsets me is why the EU is backing it:
“It is felt that educators could not solely rely on technology, but also that businesses could not escape their responsibilities under the pretext that parental control would suffice and that governments had a duty to introduce rules that would protect the weakest members of society.”
Sigh. Just what society needs: more censorship. This is a scary trend. In the US the censorship knob was turned after the thing with Janet Jackson at the Super Bowl. Boobies! Pffft. Big deal! Then there was the thing with GTA. More nonsense. Some people seriously need to lighten up and politicians that try to start witch hunts should be burned alive. That said, some censorship might be needed – it’s probably not a good idea to have young kids look at pictures from the crime scene of a serial killer or scenes from a gay marriage.
From a technical standpoint:
DENY: ALL
ALLOW: .kid
is a very good idea but not enough. Continuous content inspection of all .kid websites would probably be too expensive… well… expensive. So I can certainly see ISPs not caring. Governmental and Non-Governmental organizations would help. But it still wouldn’t be enough. I can only think of one good solution: the parental control software would still detect “bad pages” the way it does now and block them. .kid websites could be broken into and harmless content replaced with “bad stuff”, or they could simply be set up by “bad people” and the harmful content made less obvious, hidden three or more clicks away – perhaps enough to escape more relaxed human detection. So what would happen when parental control software found what it believed to be “bad stuff” in a .kid website? It would block it, log it and later present it to the administrator (e.g. one of the parents), pointing out why it considered the content of the site “bad”. The software would then allow the site to be reported as bad, either to a government agency, an NGO, the software maker or a combination of those. Additionally, crawlers would search through all the .kid websites in search of “bad stuff”. These would have to use techniques to avoid and evade detection ;)
No software will be able to detect all “bad stuff” in text/html, let alone in flash animations, images and the like. The safest solution is to rely on all the above AND make a list of “good sites” and restrict browsing to them. Again, these “good sites” could be broken into, so in the end it is impossible to secure unsupervised browsing. Not to mention that it would certainly cripple the “internet experience” way too much…


FEUP Live 2005 (DVD)

Posted: September 9th, 2005 | Author: lrei | Filed under: Uncategorized

FEUP announced today the release of FEUP Live 2005 (DVD Edition). FEUP Live is a Knoppix-based live CD Linux distribution made by the student group Chefax R&D for all engineering students at FEUP (which does not preclude it from being used by engineering students elsewhere or, for that matter, anyone else). It includes applications such as Maxima and Octave and provides easy access to FEUP resources such as the application server and webmail.
I made a couple of scripts for it. Screenshot (2004) and usage of one of them.


Routers and Firewalls

Posted: September 8th, 2005 | Author: lrei | Filed under: Security

I just listened to Episode 3 of Security Now, which finally convinced me podcasts aren’t a waste of bandwidth. It makes a point I’ve been trying to make for a while now: that broadband routers can provide a lot of security (assuming reasonable configuration, i.e. UPnP and WAN Admin disabled) to a home computer/network. I have one from Linksys, a BEFSR41. A few days ago, a friend of mine told me that his firewall, which was his old PC, slightly modified and running SmoothWall, has a problem – the power consumption is too high, which means more money out of his pockets and into EDP’s bottomless pockets every month. He also said that he didn’t want to connect to the internet without a firewall, so I recommended a router like the one I have. I can’t remember if software firewalls were mentioned… probably. The point is, broadband routers are certainly worth considering. Personally I’d rather have my own custom firewall, but the initial cost (getting the hardware) and/or maintaining it (the power consumption) is too high.
Early last week I also installed a software firewall, the Kerio Personal Firewall. I did this among a lot of other things after I became convinced that there was some sort of malware on my box. It turned out the malware was just a creation of my paranoia. I suspected malware mainly because Bitdefender found Trojan.Downloader.Vbs.Small.S in a temp file on my computer. To the best of my knowledge it was never executed. Nevertheless, paranoia took over and I ended up wasting several hours.

Additional Links:
SysInternals – home of Filemon, TCPView and more great Windows utilities.
Ethereal – A Network Protocol Analyzer
WinDump – tcpdump for Windows
NAT Router Security Solutions
How To Keep Your Computer Spyware Free – Basic Windows Security